Snort mailing list archives
Re: Snort rule to monitor for a specific user login
From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 13 Aug 2009 17:37:58 -0500
This sounds like a job for OSSEC, you don't really have to deploy to every system. You have things that you don't want them to access, probably on file servers; deploy the OSSEC agent to these boxes along with your domain controllers (they have to auth here at some point) and you should be mostly covered. The rest is just writing rules looking for the logons.

http://www.ossec.net/

Regards,

Will

On Thu, Aug 13, 2009 at 10:18 AM, Jesse Lands<cryptograffiti () gmail com> wrote:
> > If you can see the data in network traffic, you can write a rule to find it.
> >
> > --
> > Nigel Houghton
> > Head Mentalist
> > SF VRT
> > http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
> I guess it would have helped if I was a little more specific. I want to monitor for a list of Windows logins used across the network. Users who don't have access or shouldn't anymore. I have a list of logins that are in use, but don't have a central log collection and have too many computers to individually check each system.
>
> Thanks again
> Jesse

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
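Archive note, not part of any message in this thread: the host-log approach suggested above comes down to matching logon events from file servers and domain controllers against a watchlist of accounts. The added Python example below sketches that matching; the `key=value` log format, the host names and the account names are constructed for illustration and are not OSSEC's or Windows' native format.

```python
import re

# Assumption: accounts that should no longer be logging in (constructed names).
WATCHLIST = {"jsmith", "old.contractor"}

# Windows Security event IDs for logon activity.
LOGON_EVENTS = {
    "4624": "success", "4625": "failure",                  # Vista / Server 2008+
    "528": "success", "540": "success", "529": "failure",  # XP / Server 2003
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def normalize_user(raw):
    """Reduce DOMAIN\\user and user@domain to a lowercase bare account name."""
    name = raw.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name

def find_watchlisted_logons(lines, watchlist=WATCHLIST):
    """Return one dict per logon event whose account is on the watchlist."""
    wanted = {normalize_user(u) for u in watchlist}
    hits = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        outcome = LOGON_EVENTS.get(fields.get("event_id", ""))
        if outcome is None or "user" not in fields:
            continue  # not a logon event, or no account name to compare
        user = normalize_user(fields["user"])
        if user in wanted:
            hits.append({"time": line.split(" ", 1)[0],
                         "host": fields.get("host", "?"),
                         "user": user,
                         "outcome": outcome,
                         "src": fields.get("src", "?")})
    return hits

# Constructed sample events; 4634 is a logoff and must be ignored.
SAMPLE_LOG = [
    r"2009-08-13T10:02:11 host=DC01 event_id=4624 user=CORP\JSmith src=10.0.0.15",
    r"2009-08-13T10:03:40 host=FS02 event_id=540 user=alice src=10.0.0.22",
    r"2009-08-13T10:05:02 host=FS02 event_id=529 user=old.contractor@corp.example src=10.0.0.31",
    r"2009-08-13T10:06:17 host=DC01 event_id=4634 user=CORP\jsmith src=10.0.0.15",
]

if __name__ == "__main__":
    for hit in find_watchlisted_logons(SAMPLE_LOG):
        print(hit)
```

Failed logons are reported along with successful ones because an attempt to use a disabled or removed account is itself worth an alert.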
Current thread:
- Snort rule to monitor for a specific user login Jesse Lands (Aug 13)
- Re: Snort rule to monitor for a specific user login Nigel Houghton (Aug 13)
- Re: Snort rule to monitor for a specific user login Jesse Lands (Aug 13)
- Re: Snort rule to monitor for a specific user login Richard Bejtlich (Aug 13)
- Re: Snort rule to monitor for a specific user login Joel Esler (Aug 13)
- Re: Snort rule to monitor for a specific user login Will Metcalf (Aug 13)
- Re: Snort rule to monitor for a specific user login Jesse Lands (Aug 13)
- Re: Snort rule to monitor for a specific user login Nigel Houghton (Aug 13)